@peac/schema 0.11.2 → 0.12.0-preview.1

package/README.md

@@ -1,6 +1,6 @@
 # @peac/schema
 
-PEAC Protocol JSON schemas, OpenAPI specs, and TypeScript types
+PEAC protocol schemas: Zod validators, TypeScript types, and pure validation functions. No I/O.
 
 ## Installation
 
@@ -8,9 +8,70 @@ PEAC Protocol JSON schemas, OpenAPI specs, and TypeScript types
 pnpm add @peac/schema
 ```
 
-## Documentation
+## What It Does
 
-See [peacprotocol.org](https://www.peacprotocol.org) for full documentation.
+`@peac/schema` is Layer 1 of the PEAC stack. It provides Zod schemas for all PEAC receipt types, validation functions, and utility functions like `computeReceiptRef()`. It contains only schemas and pure functions: no I/O, no network calls, no side effects.
+
+## How Do I Validate a Receipt?
+
+```typescript
+import { parseReceiptClaims } from '@peac/schema';
+
+const result = parseReceiptClaims(decodedPayload);
+
+if (result.ok) {
+  console.log(result.variant); // 'commerce' or 'attestation'
+  console.log(result.claims.iss); // validated issuer
+}
+```
+
+## How Do I Compute a Receipt Reference?
+
+```typescript
+import { computeReceiptRef } from '@peac/schema';
+
+const ref = await computeReceiptRef(jws);
+// 'sha256:a1b2c3...' (content-addressed, deterministic)
+```
+
+## How Do I Validate Evidence Before Signing?
+
+```typescript
+import { assertJsonSafeIterative } from '@peac/schema';
+
+const result = assertJsonSafeIterative(evidence);
+if (!result.safe) {
+  throw new Error(result.violations.join(', '));
+}
+```
+
+## How Do I Validate an Evidence Carrier?
+
+```typescript
+import { validateCarrierConstraints, CARRIER_TRANSPORT_LIMITS } from '@peac/schema';
+import type { PeacEvidenceCarrier, CarrierMeta } from '@peac/kernel';
+
+const carrier: PeacEvidenceCarrier = {
+  receipt_jws: jws,
+  receipt_ref: ref,
+};
+
+const meta: CarrierMeta = {
+  transport: 'mcp',
+  format: 'embed',
+  max_size: CARRIER_TRANSPORT_LIMITS.mcp,
+};
+
+const result = validateCarrierConstraints(carrier, meta);
+// result.valid: boolean, result.violations: string[]
+```
+
+## Integrates With
+
+- `@peac/kernel` (Layer 0): Types that schemas validate
+- `@peac/protocol` (Layer 3): Uses schemas for issuance and verification
+- `@peac/mappings-*` (Layer 4): Transport-specific carrier validation
+- All packages that handle receipt data
 
 ## License
 

package/dist/actor-binding.d.ts

@@ -0,0 +1,148 @@
+/**
+ * ActorBinding and MVIS (Minimum Viable Identity Set) Schemas (v0.11.3+)
+ *
+ * Implements DD-142 (ActorBinding), DD-143 (Multi-Root Proof Types),
+ * and DD-144 (MVIS) for the Agent Identity Profile.
+ *
+ * ActorBinding lives in ext["org.peacprotocol/actor_binding"] in Wire 0.1.
+ * ProofTypeSchema is SEPARATE from ProofMethodSchema (agent-identity.ts)
+ * to avoid breaking the v0.9.25+ API. Unification deferred to v0.12.0.
+ *
+ * @see docs/specs/AGENT-IDENTITY-PROFILE.md for normative specification
+ */
+import { z } from 'zod';
+/**
+ * Proof types for ActorBinding (DD-143).
+ *
+ * 8 methods covering attestation chains, RATS, keyless signing,
+ * decentralized identity, workload identity, PKI, and vendor-defined.
+ *
+ * SEPARATE from ProofMethodSchema (4 transport-level methods in agent-identity.ts).
+ * ProofMethodSchema covers how proof is transported (HTTP sig, DPoP, mTLS, JWK thumbprint).
+ * ProofTypeSchema covers the trust root model used to establish identity.
+ *
+ * The 'custom' type: implementers MUST document their proof semantics externally.
+ * proof_ref SHOULD use a reverse-DNS namespace (e.g., 'com.example.vendor/proof-type-v1').
+ */
+export declare const PROOF_TYPES: readonly ["ed25519-cert-chain", "eat-passport", "eat-background-check", "sigstore-oidc", "did", "spiffe", "x509-pki", "custom"];
+export declare const ProofTypeSchema: z.ZodEnum<{
+    "ed25519-cert-chain": "ed25519-cert-chain";
+    "eat-passport": "eat-passport";
+    "eat-background-check": "eat-background-check";
+    "sigstore-oidc": "sigstore-oidc";
+    did: "did";
+    spiffe: "spiffe";
+    "x509-pki": "x509-pki";
+    custom: "custom";
+}>;
+export type ProofType = z.infer<typeof ProofTypeSchema>;
+/**
+ * Validate that a string is an origin-only URL (scheme + host + optional port).
+ * Rejects URLs with path (other than '/'), query, or fragment components.
+ * This prevents correlation leakage and ambiguity in ActorBinding.
+ *
+ * Valid: "https://example.com", "https://example.com:8443"
+ * Invalid: "https://example.com/api/v1", "https://example.com?q=1", "https://example.com#frag"
+ */
+export declare function isOriginOnly(value: string): boolean;
+/**
+ * Extension key for ActorBinding in Wire 0.1 ext[].
+ */
+export declare const ACTOR_BINDING_EXTENSION_KEY: "org.peacprotocol/actor_binding";
+/**
+ * ActorBinding schema (DD-142).
+ *
+ * Binds an actor identity to a receipt via ext["org.peacprotocol/actor_binding"].
+ * Wire 0.2 moves this to a kernel field.
+ *
+ * - id: Stable actor identifier (opaque, no PII)
+ * - proof_type: Trust root model from DD-143 vocabulary
+ * - proof_ref: Optional URI or hash of external proof artifact
+ * - origin: Origin-only URL (scheme + host + optional port; no path/query/fragment)
+ * - intent_hash: Optional SHA-256 hash of the intent (hash-first per DD-138)
+ */
+export declare const ActorBindingSchema: z.ZodObject<{
+    id: z.ZodString;
+    proof_type: z.ZodEnum<{
+        "ed25519-cert-chain": "ed25519-cert-chain";
+        "eat-passport": "eat-passport";
+        "eat-background-check": "eat-background-check";
+        "sigstore-oidc": "sigstore-oidc";
+        did: "did";
+        spiffe: "spiffe";
+        "x509-pki": "x509-pki";
+        custom: "custom";
+    }>;
+    proof_ref: z.ZodOptional<z.ZodString>;
+    origin: z.ZodString;
+    intent_hash: z.ZodOptional<z.ZodString>;
+}, z.core.$strict>;
+export type ActorBinding = z.infer<typeof ActorBindingSchema>;
+/**
+ * MVIS (Minimum Viable Identity Set) fields (DD-144).
+ *
+ * 5 required fields for any identity receipt to be considered complete.
+ * validateMVIS() is a pure validation function with zero I/O (DD-141).
+ *
+ * Fields:
+ * - issuer: Who issued the identity assertion
+ * - subject: Who the identity is about (opaque identifier)
+ * - key_binding: Cryptographic binding to a key (kid or thumbprint)
+ * - time_bounds: Validity period with not_before and not_after
+ * - replay_protection: Unique token ID (jti) and optional nonce
+ */
+export declare const MVISTimeBoundsSchema: z.ZodObject<{
+    not_before: z.ZodString;
+    not_after: z.ZodString;
+}, z.core.$strict>;
+export type MVISTimeBounds = z.infer<typeof MVISTimeBoundsSchema>;
+export declare const MVISReplayProtectionSchema: z.ZodObject<{
+    jti: z.ZodString;
+    nonce: z.ZodOptional<z.ZodString>;
+}, z.core.$strict>;
+export type MVISReplayProtection = z.infer<typeof MVISReplayProtectionSchema>;
+export declare const MVISFieldsSchema: z.ZodObject<{
+    issuer: z.ZodString;
+    subject: z.ZodString;
+    key_binding: z.ZodString;
+    time_bounds: z.ZodObject<{
+        not_before: z.ZodString;
+        not_after: z.ZodString;
+    }, z.core.$strict>;
+    replay_protection: z.ZodObject<{
+        jti: z.ZodString;
+        nonce: z.ZodOptional<z.ZodString>;
+    }, z.core.$strict>;
+}, z.core.$strict>;
+export type MVISFields = z.infer<typeof MVISFieldsSchema>;
+/**
+ * Validate an ActorBinding object.
+ *
+ * @param data - Unknown data to validate
+ * @returns Result with validated ActorBinding or error message
+ */
+export declare function validateActorBinding(data: unknown): {
+    ok: true;
+    value: ActorBinding;
+} | {
+    ok: false;
+    error: string;
+};
+/**
+ * Validate MVIS fields (DD-144).
+ *
+ * Pure validation function with zero I/O (DD-141).
+ * Checks that all 5 required fields are present and valid.
+ * Also validates that time_bounds.not_before < time_bounds.not_after.
+ *
+ * @param data - Unknown data to validate
+ * @returns Result with validated MVIS fields or error message
+ */
+export declare function validateMVIS(data: unknown): {
+    ok: true;
+    value: MVISFields;
+} | {
+    ok: false;
+    error: string;
+};
+//# sourceMappingURL=actor-binding.d.ts.map

package/dist/actor-binding.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"actor-binding.d.ts","sourceRoot":"","sources":["../src/actor-binding.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAMxB;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,WAAW,iIASd,CAAC;AAEX,eAAO,MAAM,eAAe;;;;;;;;;EAAsB,CAAC;AACnD,MAAM,MAAM,SAAS,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAMxD;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAyCnD;AAMD;;GAEG;AACH,eAAO,MAAM,2BAA2B,EAAG,gCAAyC,CAAC;AAErF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;kBAyBpB,CAAC;AAEZ,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAM9D;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,oBAAoB;;;kBAOtB,CAAC;AAEZ,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAElE,eAAO,MAAM,0BAA0B;;;kBAO5B,CAAC;AAEZ,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAE9E,eAAO,MAAM,gBAAgB;;;;;;;;;;;;kBAiBlB,CAAC;AAEZ,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAM1D;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAClC,IAAI,EAAE,OAAO,GACZ;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,YAAY,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAMlE;AAED;;;;;;;;;GASG;AACH,wBAAgB,YAAY,CAC1B,IAAI,EAAE,OAAO,GACZ;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,UAAU,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAoBhE"}

package/dist/dispute.d.ts

@@ -317,9 +317,9 @@ export type DisputeResolution = z.infer<typeof DisputeResolutionSchema>;
  * - 'did': Decentralized identifier
  */
 export declare const ContactMethodSchema: z.ZodEnum<{
+    did: "did";
     email: "email";
     url: "url";
-    did: "did";
 }>;
 export type ContactMethod = z.infer<typeof ContactMethodSchema>;
 /**
@@ -329,9 +329,9 @@ export type ContactMethod = z.infer<typeof ContactMethodSchema>;
  */
 export declare const DisputeContactSchema: z.ZodObject<{
     method: z.ZodEnum<{
+        did: "did";
         email: "email";
         url: "url";
-        did: "did";
     }>;
     value: z.ZodString;
 }, z.core.$strict>;
@@ -409,9 +409,9 @@ export declare const DisputeEvidenceSchema: z.ZodObject<{
     }, z.core.$strict>>>;
     contact: z.ZodOptional<z.ZodObject<{
         method: z.ZodEnum<{
+            did: "did";
             email: "email";
             url: "url";
-            did: "did";
         }>;
         value: z.ZodString;
     }, z.core.$strict>>;
@@ -540,9 +540,9 @@ export declare const DisputeAttestationSchema: z.ZodObject<{
         }, z.core.$strict>>>;
         contact: z.ZodOptional<z.ZodObject<{
             method: z.ZodEnum<{
+                did: "did";
                 email: "email";
                 url: "url";
-                did: "did";
             }>;
             value: z.ZodString;
         }, z.core.$strict>>;

package/dist/errors.d.ts

@@ -10,7 +10,7 @@ export type { ErrorCategory };
  * @deprecated Use ERROR_CATEGORIES from @peac/kernel instead.
  * Re-exported for backwards compatibility.
  */
-export declare const ERROR_CATEGORIES_CANONICAL: readonly ["attribution", "bundle", "control", "dispute", "identity", "infrastructure", "interaction", "ucp", "validation", "verification", "verifier", "workflow"];
+export declare const ERROR_CATEGORIES_CANONICAL: readonly ["attribution", "bundle", "control", "cryptography", "dispute", "identity", "infrastructure", "interaction", "ucp", "validation", "verification", "verifier", "workflow"];
 /**
  * Error severity
  */
@@ -127,6 +127,7 @@ export declare const ERROR_CODES: {
     readonly E_WORKFLOW_SUMMARY_INVALID: "E_WORKFLOW_SUMMARY_INVALID";
     readonly E_WORKFLOW_CYCLE_DETECTED: "E_WORKFLOW_CYCLE_DETECTED";
     readonly E_CONSTRAINT_VIOLATION: "E_CONSTRAINT_VIOLATION";
+    readonly E_INVALID_EXTENSION_KEY: "E_INVALID_EXTENSION_KEY";
 };
 /**
  * Error code type

package/dist/errors.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAClD,YAAY,EAAE,aAAa,EAAE,CAAC;AAE9B;;;GAGG;AACH,eAAO,MAAM,0BAA0B,oKAA0B,CAAC;AAElE;;GAEG;AACH,MAAM,MAAM,aAAa,GAAG,OAAO,GAAG,SAAS,CAAC;AAEhD;;;;;;;;GAQG;AACH,MAAM,WAAW,SAAS;IACxB;;;;;;;;;;;OAWG;IACH,IAAI,EAAE,MAAM,CAAC;IAEb;;;;OAIG;IACH,QAAQ,EAAE,aAAa,CAAC;IAExB;;;;;OAKG;IACH,QAAQ,EAAE,aAAa,CAAC;IAExB;;;;;OAKG;IACH,SAAS,EAAE,OAAO,CAAC;IAEnB;;;;;;;;;OASG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;;;;;;;OAQG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB;;;;;;;;OAQG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;;;;OAKG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;;;GAIG;AACH,eAAO,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;CAoCd,CAAC;AAEX;;GAEG;AACH,MAAM,MAAM,SAAS,GAAG,CAAC,OAAO,WAAW,CAAC,CAAC,MAAM,OAAO,WAAW,CAAC,CAAC;AAEvE;;GAEG;AACH,wBAAgB,eAAe,CAC7B,IAAI,EAAE,SAAS,EACf,QAAQ,EAAE,aAAa,EACvB,QAAQ,EAAE,aAAa,EACvB,SAAS,EAAE,OAAO,EAClB,OAAO,CAAC,EAAE;IACR,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,GACA,SAAS,CAQX;AAED;;;;;GAKG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,CAAC,MAAM,GAAG,MAAM,CAAC,EAAE,GAAG,SAAS,CAQjG;AAMD;;;;GAIG;AACH,wBAAgB,iCAAiC,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,SAAS,CAO7E;AAED;;;;GAIG;AACH,wBAAgB,6BAA6B,CAC3C,MAAM,EAAE,aAAa,GAAG,kBAAkB,GAAG,OAAO,GACnD,SAAS,CAYX;AAMD;;;;;GAKG;AACH,wBAAgB,8BAA8B,CAC5C,UAAU,EAAE,KAAK,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;CACf,CAAC,GACD,SAAS,CAWX"}
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAClD,YAAY,EAAE,aAAa,EAAE,CAAC;AAE9B;;;GAGG;AACH,eAAO,MAAM,0BAA0B,oLAA0B,CAAC;AAElE;;GAEG;AACH,MAAM,MAAM,aAAa,GAAG,OAAO,GAAG,SAAS,CAAC;AAEhD;;;;;;;;GAQG;AACH,MAAM,WAAW,SAAS;IACxB;;;;;;;;;;;OAWG;IACH,IAAI,EAAE,MAAM,CAAC;IAEb;;;;OAIG;IACH,QAAQ,EAAE,aAAa,CAAC;IAExB;;;;;OAKG;IACH,QAAQ,EAAE,aAAa,CAAC;IAExB;;;;;OAKG;IACH,SAAS,EAAE,OAAO,CAAC;IAEnB;;;;;;;;;OASG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;;;;;;;OAQG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB;;;;;;;;OAQG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;;;;OAKG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;;;GAIG;AACH,eAAO,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;CAuCd,CAAC;AAEX;;GAEG;AACH,MAAM,MAAM,SAAS,GAAG,CAAC,OAAO,WAAW,CAAC,CAAC,MAAM,OAAO,WAAW,CAAC,CAAC;AAEvE;;GAEG;AACH,wBAAgB,eAAe,CAC7B,IAAI,EAAE,SAAS,EACf,QAAQ,EAAE,aAAa,EACvB,QAAQ,EAAE,aAAa,EACvB,SAAS,EAAE,OAAO,EAClB,OAAO,CAAC,EAAE;IACR,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,GACA,SAAS,CAQX;AAED;;;;;GAKG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,CAAC,MAAM,GAAG,MAAM,CAAC,EAAE,GAAG,SAAS,CAQjG;AAMD;;;;GAIG;AACH,wBAAgB,iCAAiC,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,SAAS,CAO7E;AAED;;;;GAIG;AACH,wBAAgB,6BAA6B,CAC3C,MAAM,EAAE,aAAa,GAAG,kBAAkB,GAAG,OAAO,GACnD,SAAS,CAYX;AAMD;;;;;GAKG;AACH,wBAAgB,8BAA8B,CAC5C,UAAU,EAAE,KAAK,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;CACf,CAAC,GACD,SAAS,CAWX"}

package/dist/extensions/control-action.d.ts

@@ -0,0 +1,68 @@
+/**
+ * Control Action Extension Schema (v0.11.3+, DD-145 ZT Pack)
+ *
+ * Records access control decisions in ext["org.peacprotocol/control_action"].
+ * Actions: grant, deny, escalate, delegate, audit.
+ * Triggers: policy_evaluation, manual_review, anomaly_detection, scheduled, event_driven.
+ */
+import { z } from 'zod';
+export declare const CONTROL_ACTION_EXTENSION_KEY: "org.peacprotocol/control_action";
+/**
+ * Control action types
+ */
+export declare const CONTROL_ACTIONS: readonly ["grant", "deny", "escalate", "delegate", "audit"];
+export declare const ControlActionTypeSchema: z.ZodEnum<{
+    deny: "deny";
+    grant: "grant";
+    escalate: "escalate";
+    delegate: "delegate";
+    audit: "audit";
+}>;
+export type ControlActionType = z.infer<typeof ControlActionTypeSchema>;
+/**
+ * Control action triggers
+ */
+export declare const CONTROL_TRIGGERS: readonly ["policy_evaluation", "manual_review", "anomaly_detection", "scheduled", "event_driven"];
+export declare const ControlTriggerSchema: z.ZodEnum<{
+    policy_evaluation: "policy_evaluation";
+    manual_review: "manual_review";
+    anomaly_detection: "anomaly_detection";
+    scheduled: "scheduled";
+    event_driven: "event_driven";
+}>;
+export type ControlTrigger = z.infer<typeof ControlTriggerSchema>;
+/**
+ * Control Action extension schema
+ */
+export declare const ControlActionSchema: z.ZodObject<{
+    action: z.ZodEnum<{
+        deny: "deny";
+        grant: "grant";
+        escalate: "escalate";
+        delegate: "delegate";
+        audit: "audit";
+    }>;
+    trigger: z.ZodEnum<{
+        policy_evaluation: "policy_evaluation";
+        manual_review: "manual_review";
+        anomaly_detection: "anomaly_detection";
+        scheduled: "scheduled";
+        event_driven: "event_driven";
+    }>;
+    resource: z.ZodOptional<z.ZodString>;
+    reason: z.ZodOptional<z.ZodString>;
+    policy_ref: z.ZodOptional<z.ZodString>;
+    action_at: z.ZodOptional<z.ZodString>;
+}, z.core.$strict>;
+export type ControlAction = z.infer<typeof ControlActionSchema>;
+/**
+ * Validate a ControlAction object.
+ */
+export declare function validateControlAction(data: unknown): {
+    ok: true;
+    value: ControlAction;
+} | {
+    ok: false;
+    error: string;
+};
+//# sourceMappingURL=control-action.d.ts.map

package/dist/extensions/control-action.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"control-action.d.ts","sourceRoot":"","sources":["../../src/extensions/control-action.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,eAAO,MAAM,4BAA4B,EAAG,iCAA0C,CAAC;AAEvF;;GAEG;AACH,eAAO,MAAM,eAAe,6DAA8D,CAAC;AAE3F,eAAO,MAAM,uBAAuB;;;;;;EAA0B,CAAC;AAC/D,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAExE;;GAEG;AACH,eAAO,MAAM,gBAAgB,mGAMnB,CAAC;AAEX,eAAO,MAAM,oBAAoB;;;;;;EAA2B,CAAC;AAC7D,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAElE;;GAEG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;kBAoBrB,CAAC;AAEZ,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEhE;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,IAAI,EAAE,OAAO,GACZ;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,aAAa,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAMnE"}

package/dist/extensions/credential-event.d.ts

@@ -0,0 +1,53 @@
+/**
+ * Credential Event Extension Schema (v0.11.3+, DD-145 ZT Pack)
+ *
+ * Records credential lifecycle events in ext["org.peacprotocol/credential_event"].
+ * Events: issued, leased, rotated, revoked, expired.
+ *
+ * credential_ref is an opaque fingerprint reference (DD-146): schema validates
+ * format only (prefix + hex). Issuers compute values externally; verifiers
+ * MUST NOT assume they can recompute the reference.
+ */
+import { z } from 'zod';
+export declare const CREDENTIAL_EVENT_EXTENSION_KEY: "org.peacprotocol/credential_event";
+/**
+ * Credential lifecycle events
+ */
+export declare const CREDENTIAL_EVENTS: readonly ["issued", "leased", "rotated", "revoked", "expired"];
+export declare const CredentialEventTypeSchema: z.ZodEnum<{
+    issued: "issued";
+    leased: "leased";
+    rotated: "rotated";
+    revoked: "revoked";
+    expired: "expired";
+}>;
+export type CredentialEventType = z.infer<typeof CredentialEventTypeSchema>;
+export declare const CredentialRefSchema: z.ZodString;
+/**
+ * Credential Event extension schema
+ */
+export declare const CredentialEventSchema: z.ZodObject<{
+    event: z.ZodEnum<{
+        issued: "issued";
+        leased: "leased";
+        rotated: "rotated";
+        revoked: "revoked";
+        expired: "expired";
+    }>;
+    credential_ref: z.ZodString;
+    authority: z.ZodString;
+    expires_at: z.ZodOptional<z.ZodString>;
+    previous_ref: z.ZodOptional<z.ZodString>;
+}, z.core.$strict>;
+export type CredentialEvent = z.infer<typeof CredentialEventSchema>;
+/**
+ * Validate a CredentialEvent object.
+ */
+export declare function validateCredentialEvent(data: unknown): {
+    ok: true;
+    value: CredentialEvent;
+} | {
+    ok: false;
+    error: string;
+};
+//# sourceMappingURL=credential-event.d.ts.map

package/dist/extensions/credential-event.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-event.d.ts","sourceRoot":"","sources":["../../src/extensions/credential-event.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,eAAO,MAAM,8BAA8B,EAAG,mCAA4C,CAAC;AAE3F;;GAEG;AACH,eAAO,MAAM,iBAAiB,gEAAiE,CAAC;AAEhG,eAAO,MAAM,yBAAyB;;;;;;EAA4B,CAAC;AACnE,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAS5E,eAAO,MAAM,mBAAmB,aAG9B,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,qBAAqB;;;;;;;;;;;;kBAuBvB,CAAC;AAEZ,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAEpE;;GAEG;AACH,wBAAgB,uBAAuB,CACrC,IAAI,EAAE,OAAO,GACZ;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,eAAe,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAMrE"}

package/dist/extensions/fingerprint-ref.d.ts

@@ -0,0 +1,50 @@
+/**
+ * Fingerprint Reference Conversion Functions (v0.11.3+, DD-146)
+ *
+ * Pure string manipulation functions for converting between Wire 0.1
+ * string form ("alg:hex64") and Wire 0.2 object form ({ alg, value, key_id? }).
+ *
+ * These are opaque references. The schema validates format only.
+ * Issuers compute values externally; verifiers MUST NOT assume
+ * they can recompute the reference.
+ *
+ * Lives in Layer 1 (@peac/schema) because it is pure string manipulation,
+ * not cryptographic computation. Zero dependencies, zero I/O.
+ */
+/**
+ * Wire 0.2 object form of a fingerprint reference
+ */
+export interface FingerprintRefObject {
+    /** Hash algorithm: 'sha256' or 'hmac-sha256' */
+    alg: string;
+    /** Base64url-encoded value */
+    value: string;
+    /** Optional key identifier (for hmac-sha256 references) */
+    key_id?: string;
+}
+/**
+ * Maximum length for fingerprint reference string form.
+ * "hmac-sha256:" (12) + 64 hex chars = 76 chars max.
+ */
+export declare const MAX_FINGERPRINT_REF_LENGTH = 76;
+/**
+ * Parse a Wire 0.1 string form fingerprint reference ("alg:hex64")
+ * into a Wire 0.2 object form ({ alg, value }).
+ *
+ * The hex value is converted to base64url for the object form.
+ *
+ * @param s - String form: "sha256:<64 hex chars>" or "hmac-sha256:<64 hex chars>"
+ * @returns Object form with base64url value, or null if invalid
+ */
+export declare function stringToFingerprintRef(s: string): FingerprintRefObject | null;
+/**
+ * Convert a Wire 0.2 object form fingerprint reference back to
+ * the Wire 0.1 string form ("alg:hex64").
+ *
+ * The base64url value is converted back to hex for the string form.
+ *
+ * @param obj - Object form with alg and base64url value
+ * @returns String form "alg:<64 hex chars>", or null if invalid
+ */
+export declare function fingerprintRefToString(obj: FingerprintRefObject): string | null;
+//# sourceMappingURL=fingerprint-ref.d.ts.map

package/dist/extensions/fingerprint-ref.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fingerprint-ref.d.ts","sourceRoot":"","sources":["../../src/extensions/fingerprint-ref.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,gDAAgD;IAChD,GAAG,EAAE,MAAM,CAAC;IACZ,8BAA8B;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,2DAA2D;IAC3D,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAuDD;;;GAGG;AACH,eAAO,MAAM,0BAA0B,KAAK,CAAC;AAQ7C;;;;;;;;GAQG;AACH,wBAAgB,sBAAsB,CAAC,CAAC,EAAE,MAAM,GAAG,oBAAoB,GAAG,IAAI,CAc7E;AAED;;;;;;;;GAQG;AACH,wBAAgB,sBAAsB,CAAC,GAAG,EAAE,oBAAoB,GAAG,MAAM,GAAG,IAAI,CAiB/E"}

package/dist/extensions/index.d.ts

@@ -0,0 +1,16 @@
+/**
+ * PEAC Protocol Extension Schemas (v0.11.3+, DD-145 ZT Pack)
+ *
+ * Zero Trust extension schemas for use in ext[] with reverse-DNS keys.
+ */
+export { CredentialEventTypeSchema, CredentialRefSchema, CredentialEventSchema, CREDENTIAL_EVENT_EXTENSION_KEY, CREDENTIAL_EVENTS, validateCredentialEvent, } from './credential-event';
+export type { CredentialEventType, CredentialEvent } from './credential-event';
+export { ToolRegistrySchema, TOOL_REGISTRY_EXTENSION_KEY, validateToolRegistry, } from './tool-registry';
+export type { ToolRegistry } from './tool-registry';
+export { ControlActionTypeSchema, ControlTriggerSchema, ControlActionSchema, CONTROL_ACTION_EXTENSION_KEY, CONTROL_ACTIONS, CONTROL_TRIGGERS, validateControlAction, } from './control-action';
+export type { ControlActionType, ControlTrigger, ControlAction } from './control-action';
+export { CommitmentClassSchema, TreatySchema, TREATY_EXTENSION_KEY, COMMITMENT_CLASSES, validateTreaty, } from './treaty';
+export type { CommitmentClass, Treaty } from './treaty';
+export { stringToFingerprintRef, fingerprintRefToString, MAX_FINGERPRINT_REF_LENGTH, } from './fingerprint-ref';
+export type { FingerprintRefObject } from './fingerprint-ref';
+//# sourceMappingURL=index.d.ts.map

package/dist/extensions/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/extensions/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EACL,yBAAyB,EACzB,mBAAmB,EACnB,qBAAqB,EACrB,8BAA8B,EAC9B,iBAAiB,EACjB,uBAAuB,GACxB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,mBAAmB,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAG/E,OAAO,EACL,kBAAkB,EAClB,2BAA2B,EAC3B,oBAAoB,GACrB,MAAM,iBAAiB,CAAC;AACzB,YAAY,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAGpD,OAAO,EACL,uBAAuB,EACvB,oBAAoB,EACpB,mBAAmB,EACnB,4BAA4B,EAC5B,eAAe,EACf,gBAAgB,EAChB,qBAAqB,GACtB,MAAM,kBAAkB,CAAC;AAC1B,YAAY,EAAE,iBAAiB,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAGzF,OAAO,EACL,qBAAqB,EACrB,YAAY,EACZ,oBAAoB,EACpB,kBAAkB,EAClB,cAAc,GACf,MAAM,UAAU,CAAC;AAClB,YAAY,EAAE,eAAe,EAAE,MAAM,EAAE,MAAM,UAAU,CAAC;AAGxD,OAAO,EACL,sBAAsB,EACtB,sBAAsB,EACtB,0BAA0B,GAC3B,MAAM,mBAAmB,CAAC;AAC3B,YAAY,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/extensions/tool-registry.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Tool Registry Extension Schema (v0.11.3+, DD-145 ZT Pack)
+ *
+ * Records tool registration and capability declarations in
+ * ext["org.peacprotocol/tool_registry"].
+ *
+ * Security: registry_uri validated against URL scheme allowlist
+ * (HTTPS + URN only; no file:// or data:// for SSRF prevention).
+ */
+import { z } from 'zod';
+export declare const TOOL_REGISTRY_EXTENSION_KEY: "org.peacprotocol/tool_registry";
+/**
+ * Tool Registry extension schema
+ */
+export declare const ToolRegistrySchema: z.ZodObject<{
+    tool_id: z.ZodString;
+    registry_uri: z.ZodString;
+    version: z.ZodOptional<z.ZodString>;
+    capabilities: z.ZodOptional<z.ZodArray<z.ZodString>>;
+}, z.core.$strict>;
+export type ToolRegistry = z.infer<typeof ToolRegistrySchema>;
+/**
+ * Validate a ToolRegistry object.
+ */
+export declare function validateToolRegistry(data: unknown): {
+    ok: true;
+    value: ToolRegistry;
+} | {
+    ok: false;
+    error: string;
+};
+//# sourceMappingURL=tool-registry.d.ts.map

package/dist/extensions/tool-registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-registry.d.ts","sourceRoot":"","sources":["../../src/extensions/tool-registry.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,eAAO,MAAM,2BAA2B,EAAG,gCAAyC,CAAC;AAkBrF;;GAEG;AACH,eAAO,MAAM,kBAAkB;;;;;kBAgBpB,CAAC;AAEZ,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAE9D;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,IAAI,EAAE,OAAO,GACZ;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,YAAY,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAMlE"}

package/dist/extensions/treaty.d.ts

@@ -0,0 +1,55 @@
+/**
+ * Treaty Extension Schema (v0.11.3+, DD-147)
+ *
+ * Records agreement commitment levels in ext["org.peacprotocol/treaty"].
+ * 4-level commitment_class vocabulary: informational, operational, financial, legal.
+ *
+ * Governance: commitment_class is a CLOSED vocabulary. Adding new levels requires
+ * a registry update in registries.json and a minor version bump.
+ *
+ * Terms pairing: when terms_hash is provided alongside terms_ref, the hash
+ * SHOULD correspond to the content at terms_ref. Future enforcement may
+ * verify this binding at verification time.
+ */
+import { z } from 'zod';
+export declare const TREATY_EXTENSION_KEY: "org.peacprotocol/treaty";
+/**
+ * Commitment class vocabulary (DD-147).
+ * Ascending levels of binding commitment.
+ */
+export declare const COMMITMENT_CLASSES: readonly ["informational", "operational", "financial", "legal"];
+export declare const CommitmentClassSchema: z.ZodEnum<{
+    informational: "informational";
+    operational: "operational";
+    financial: "financial";
+    legal: "legal";
+}>;
+export type CommitmentClass = z.infer<typeof CommitmentClassSchema>;
+/**
+ * Treaty extension schema
+ */
+export declare const TreatySchema: z.ZodObject<{
+    commitment_class: z.ZodEnum<{
+        informational: "informational";
+        operational: "operational";
+        financial: "financial";
+        legal: "legal";
+    }>;
+    terms_ref: z.ZodOptional<z.ZodString>;
+    terms_hash: z.ZodOptional<z.ZodString>;
+    counterparty: z.ZodOptional<z.ZodString>;
+    effective_at: z.ZodOptional<z.ZodString>;
+    expires_at: z.ZodOptional<z.ZodString>;
+}, z.core.$strict>;
+export type Treaty = z.infer<typeof TreatySchema>;
+/**
+ * Validate a Treaty object.
+ */
+export declare function validateTreaty(data: unknown): {
+    ok: true;
+    value: Treaty;
+} | {
+    ok: false;
+    error: string;
+};
+//# sourceMappingURL=treaty.d.ts.map

package/dist/extensions/treaty.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"treaty.d.ts","sourceRoot":"","sources":["../../src/extensions/treaty.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,eAAO,MAAM,oBAAoB,EAAG,yBAAkC,CAAC;AAEvE;;;GAGG;AACH,eAAO,MAAM,kBAAkB,iEAAkE,CAAC;AAElG,eAAO,MAAM,qBAAqB;;;;;EAA6B,CAAC;AAChE,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAEpE;;GAEG;AACH,eAAO,MAAM,YAAY;;;;;;;;;;;;kBAyBd,CAAC;AAEZ,MAAM,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAElD;;GAEG;AACH,wBAAgB,cAAc,CAC5B,IAAI,EAAE,OAAO,GACZ;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAgB5D"}